"You configure the session owner of sessions to be either the firewall that receives the First Packet of a new session from the end host or the firewall that is in active-primary state (the Primary device). If Primary device is configured, but the firewall that receives the first packet is not in active-primary state, the firewall forwards the packet to the peer firewall (the session owner) over the HA3 link.
The session owner performs all Layer 7 processing, such as App-ID, Content-ID, and threat scanning for the session. The session owner also generates all traffic logs for the session.
If the session owner fails, the peer firewall becomes the session owner. The existing sessions fail over to the functioning firewall and no Layer 7 processing is available for those sessions. When a firewall recovers from a failure, by default, all sessions it owned before the failure revert back to that original firewall; Layer 7 processing does not resume."
Doubt -
1. If we configure one of the primary firewall as session owner which means as per the above stated content, the secondary firewall will pass the packet to session owner all the time, in that case what exactly secondary firewall is doing?
2. when the session owner failover happens, Is that existing sessions from the previous session owner will pass to the new one but layer 7 processing will not happen? I am not getting the point "Layer 7 processing does not resume"
Sorry in advance if you find this question silly.
Ta,
